OpenClaw AI agents security has become a critical concern as adoption accelerates. OpenClaw is an AI agent framework that grants agents real system access—including shell command execution, file read/write operations, script execution, and integration with messaging apps, corporate email, and code repositories. Between January 27 and February 8, over 30,000 exposed instances were observed online, with later scans identifying 40,000 or more instances, and security researchers at Bitsight and SecurityScorecard tallying 135,000+ total exposed instances, of which more than 12,800 were directly exploitable via patched remote code execution vulnerabilities.
Key Takeaways
- Over 30,000–135,000+ OpenClaw instances exposed online with weak or no authentication controls
- 12% of ClawHub marketplace skills (341 out of 2,857) are malicious, with 335 from the ClawHavoc campaign distributing keyloggers and Atomic Stealer malware
- Real system access combined with unvetted third-party skills and undifferentiated memory creates multiple attack vectors
- Safe experimentation requires isolated environments, strict permission controls, human oversight of destructive operations, and active monitoring
- No “perfectly secure” setup exists; mitigation focuses on containment and detection rather than elimination of risk
The Real Threat: System Access Without Guardrails
OpenClaw’s fundamental design grants agents dangerous capabilities. Unlike browser-confined tools or sandboxed environments, OpenClaw AI agents can execute arbitrary shell commands, read sensitive files, write to disk, and trigger scripts—all with the privileges of the user or service running the agent. This architecture becomes catastrophic when combined with weak authentication. Current versions require passwords or tokens, but authentication lacks complexity enforcement; passwords as simple as “a” pass validation. Earlier versions offered no authentication option at all, meaning any attacker discovering an exposed instance could immediately gain system access.
The exposure scale demonstrates real-world risk. Between January 27 and February 8, Bitsight identified more than 30,000 exposed instances. Subsequent scans by SecurityScorecard found 135,000+ total exposed instances globally, with over 12,800 directly exploitable through known RCE vulnerabilities. Gen Threat Labs reported 18,000+ exposed instances, of which 15% contained malicious instructions already injected into agent memory. These are not theoretical numbers—they represent actual systems accessible to attackers right now.
Malicious Skills and Supply Chain Compromise
The ClawHub marketplace, where developers publish skills (plugins) for OpenClaw agents, has become a vector for malware distribution. Koi Security identified 341 malicious skills out of 2,857 total skills on the platform—approximately 12%—with 335 of those malicious skills originating from the “ClawHavoc” campaign. These skills distributed keyloggers and Atomic Stealer malware under innocuous names like “solana-wallet-tracker,” deceiving users into installing compromised code. Snyk researchers found an additional 283 skills leaking API keys through unsecured endpoints or plaintext storage. The total count of malicious or flawed skills approaches 900.
This supply chain risk reflects a fundamental architectural flaw: skills execute with full agent privileges and write directly to persistent memory without sandboxing or validation. An agent that installs a compromised skill grants that skill access to all system commands, file operations, and stored credentials. There is no sandboxing layer, no privilege separation, and no mechanism to revoke a skill’s access after installation without fully disabling the agent.
OpenClaw AI Agents Security: The OWASP Agent Risk Framework
Palo Alto Networks mapped OpenClaw’s architecture against the OWASP Agent Security Risk framework, revealing critical gaps across ten categories. The most damaging are: missing human-in-the-loop controls (no approval required before destructive operations like rm -rf or credential usage, even when influenced by untrusted memory); undifferentiated agent memory poisoning (all memory—web scrapes, user commands, third-party skills—stored identically without trust levels or expiration dates); and insecure third-party integrations (skills run with full privileges without sandboxing).
Additionally, OpenClaw lacks privilege separation—a single agent handles untrusted input and high-privilege actions using shared memory—and relies on upstream LLM models without fine-tuning data or safety validation. The framework includes no runtime monitoring or guardrails; there is no policy layer governing memory retrieval, reasoning, or tool invocation, and no anomaly detection to flag suspicious agent behavior. As OpenClaw documentation itself states: “There is no ‘perfectly secure’ setup.” This admission is critical. Security here is not about achieving perfection but about managing and containing inherent risks.
How to Safely Experiment with OpenClaw AI Agents Security
Safe experimentation requires three layers of control: isolation, permissions, and oversight. First, isolation means running OpenClaw in a dedicated, air-gapped environment—a virtual machine, container, or separate physical machine with no network access to production systems, corporate repositories, or sensitive data stores. Never run OpenClaw on a machine with access to your real email, Slack, GitHub, or database credentials. If the agent is compromised, isolation limits the attacker’s reach to that one environment.
Second, permissions must be explicitly restricted. Create a dedicated user account for the OpenClaw process with minimal system privileges. Use filesystem permissions to prevent the agent from reading sensitive directories or writing to system files. If the agent needs to interact with external services (APIs, databases, messaging platforms), provision temporary, read-only credentials scoped to the specific task, not long-lived tokens with broad access. Rotate these credentials frequently and revoke them immediately after experimentation ends. Do not reuse production credentials for testing.
Third, implement active oversight. Before installing any skill from ClawHub, audit its code for suspicious patterns—network calls to unknown domains, credential usage, file write operations, or shell execution. Use VirusTotal or similar tools to scan skills for known malware signatures. Monitor the agent’s runtime behavior: log all system calls, file operations, and network connections. Set up alerts for anomalies—unexpected process execution, large data transfers, or attempts to access restricted directories. If the agent exhibits suspicious behavior, kill the process immediately and isolate the environment.
Additionally, treat agent memory as untrusted. Do not allow the agent to ingest arbitrary web content, emails, or user-provided documents without validation. Memory poisoning—where malicious or misleading information influences the agent’s reasoning—is a silent attack vector. Limit what data the agent can access and implement expiration policies so old, potentially stale information does not influence decisions over time. For destructive operations (file deletion, credential usage, external data transmission), require explicit human approval before the agent executes the command, even if the agent’s reasoning appears sound.
Why Uninstalling Entirely Is Not Realistic
Some security advisories recommend immediate uninstallation of OpenClaw. This is hyperbolic. If OpenClaw solves a genuine business problem—automating routine tasks, processing documents, managing workflows—total avoidance is not practical. Instead, accept that risk exists and design controls around it. The goal is not zero risk but managed, contained risk with active detection and rapid response capabilities. Isolation, strict permissions, and monitoring make experimentation significantly safer than running OpenClaw with default settings on a production machine with unrestricted network access and broad credentials.
What Changed and What Remains Broken
OpenClaw has made incremental improvements. The framework removed the “gateway auth mode ‘none'” option, now requiring token or password authentication (though Tailscale Serve identity is still allowed). OpenClaw issued advisories for one-click RCE and two command injection vulnerabilities. The team added VirusTotal integration and community reporting for malicious skills. However, the core architectural issues persist: unvetted ClawHub skills, no sandboxing, undifferentiated memory, and no human-in-the-loop for destructive operations. These are not bugs to be patched; they are design choices that would require fundamental rearchitecture to fix.
Is OpenClaw AI agents security improving?
Yes, incrementally. Authentication is now mandatory, RCE vulnerabilities have been patched, and malware detection tools have been integrated. However, the core vulnerabilities—unvetted skills, lack of sandboxing, and missing human oversight—remain. Improvements are necessary but insufficient without proper isolation and monitoring on the user’s end.
Can OpenClaw be used safely in production?
Only with strict isolation, limited permissions, and active monitoring. Run it in a dedicated, air-gapped environment with read-only or temporary credentials. Audit all skills before installation. Monitor runtime behavior continuously. Never grant OpenClaw access to production systems, real credentials, or sensitive data. If your use case requires that level of access, the risk is too high.
What should I do if I have OpenClaw running now?
Immediately audit your instance: check what skills are installed, review what data the agent can access, verify what credentials it holds, and confirm what system privileges it has. If it is running on a production machine with broad access, isolate it immediately—move it to a dedicated environment or shut it down. Change any credentials the agent has accessed. Monitor your systems for signs of compromise (unusual process execution, unexpected network connections, file modifications). If you detect suspicious activity, assume breach and initiate incident response.
OpenClaw AI agents security is ultimately about accepting that powerful tools come with real risks. The framework grants agents capabilities that are genuinely useful but genuinely dangerous if misused or compromised. Safe experimentation is possible—but it requires discipline, isolation, and constant vigilance. There is no “set and forget” mode. If you lack the resources to monitor and maintain proper controls, OpenClaw is not a tool for your environment.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar
